It’s all over the news at the moment: Media giant Netflix wants us to stop sharing our passwords with people that do not live in the same household. The world's most beloved streaming service reported revenues of 24,996 Million in 2020, so is this intended crack-down on illicit use just mean-spirited?
Password sharing may seem harmless enough, but it actually puts not just your business, but also your employees and customers at risk. Find out why and, more importantly, what you as a software company can do to prevent it.
Password sharing involves multiple privileged parties sharing a single set of log-in details for an account. These may be people within the same household, employees of the same company, third parties such as contractors, or even sub-contractors.
That mostly depends on where you live. In the U.S., according to the Computer Fraud and Abuse Act, sharing passwords is illegal. The CFAA prohibits intentionally accessing a computer without, or in excess of, authorisation. In the UK on the other hand, letting someone else use your digital credentials, is not currently in breach of any Act, including the Data Protection Act.
No. However, from a business perspective, any information that an employee has on a company computer, (including passwords), are the property of the business not the employee. Therefore businesses currently can (and do) make it a company policy for users to share passwords to licenced software applications - despite the potentially devastating risks associated with doing so.
For companies that are serious about their intellectual property rights unauthorised software access represents a big challenge. Password sharing grants someone access to applications that they may or may not have paid for. Lost revenues aside for a moment, it’s not knowing who that ‘someone’ is, that presents one of the biggest problems.
Software piracy is a grey area. Legally, (unless you are actually robbing a ship at sea), there is no such thing as ‘Piracy Law’. Intellectual property, which includes computer software, is legally protected by copyright law. However, even though it may have been password sharing that granted someone access to an application, ultimately it does not cause copying and therefore password sharing is not copyright infringement.
It’s not unusual for the terms of a software license to explicitly permit users to make a copy of a program for back-up purposes. However, copyright law forbids users from giving a copy of a software programme to a friend or colleague. Copyright law can be difficult to enforce, especially if, thanks to password sharing, you do not know exactly who is accessing your applications. Even if only two users access a programme with the same log-in details, and one rogue actor creates an illegal copy of the software, how will you identify the rogue?
Lost revenue is one of the most obvious problems. Even if just 5% of the 203.67 million Netflix subscribers mentioned above share their account details illegitimately, based on the cheapest Netflix plan, this equates to around £70 Million in lost revenue - per month! And we’re willing to wager that more than 5% of Netflix users should currently be sitting on the naughty step.
Diluting revenues through illicit access means that there is less money available to pay developers or artists. Unauthorised access eats away at your bottom line and eventually standards will start to slip and creativity may be lost.
A less obvious, but potentially more serious issue with password sharing is that the security risks are simply too great. The more often passwords are shared, the more likely it is that the proverbial chickens will come home to roost.
Businesses will often try to save money by sharing login details for user-limited accounts, with some even designating a separate computer as a ‘tools’ computer, which everyone in an office can use. However there are much better ways to manage concurrent usage than by sharing passwords.
Even seemingly minor systems that hold relatively few functions or limited data are still vitally important from a cyber security perspective. They can be the doorway that leads to much more critical business systems or sensitive client and employee data. System breaches not only cost a fortune to investigate and recover from, they can also cost millions in regulatory fines. Just ask Equifax, who agreed to pay $575 million following their data breach in 2017. Stolen customer databases are big business on the Dark Web!
Secure passwords are hard to remember and most people struggle to remember one, let alone 2 or 3. Without us even going into sophisticated technology like eavesdropping devices or key-logging malware, passwords can easily be overheard. How often have you seen a password scribbled on a post it note and stuck to the side of a monitor? Multiple systems can be compromised through that one, seemingly unimportant log-in.
10Duke are identity and access management experts. We can provide you with a combination of powerful tools that help you ensure that the right people have access to the right things at the right time, without compromising the end-user experience. 10Duke also has the right solution for every organisation and can help you eliminate password sharing through:
When each user is given their own, unique login that’s based on their own, unique identity, it is access to software that is shared - not passwords. Identity-based licensing is the most modern way of licensing your products and managing your customer information, whilst making your product easy to access for your customers. Click here to learn more.
No matter how many people require access to a product, floating software licenses mean that every user can be provided with a separate, unique account login, without ever accidentally over-using entitlements. The number of simultaneous logins can be restricted, meaning that it’s not possible for a rogue user and a legitimate user to access a network at the same time. If a user does decide to share their password, they will block their own access to a network.
Not every client or employee needs privileged access to every licenced application within a business. People move on or up, and when that happens instead of changing or resetting passwords, you can simply remove or modify their entitlements accordingly.
Access can also be restricted to certain hours, tied to a MAC address, limited to certain locations, or tied to an IP address. Enabling admins to only grant access to shared licenses when and where they are needed, reduces opportunities for unnecessary account access. History logs also provide admins with oversight on which accounts are being shared and who has access to them. Access rights can also immediately be revoked in the event that you think a password may have become compromised.
Multi-factor authentication is an additional layer of security that makes it impossible for a rogue user to use valid credentials and also defends against password cracking software. Every time a user logs in, a second form of authentication is required, which is usually delivered by text or through an app, but can also be delivered in other ways. Learn more about MFA here.
Passwords are one of the main focuses of cyber criminals and every time a user enters a password it presents an opportunity for an account to be hacked. When single sign-on is implemented as part of an identity and access management solution it creates a robust cyber security strategy that limits the attack surface. Single sign-on can even help with compliance regulations by enabling automatic log-off and faster deprovisioning of users.
Password sharing is a false economy that creates a gaping cyber security hole that bad actors are just itching to slip through, an intrusion which, depending on the industry, can take between 98 and 197 days for a company to detect.
With identity-based licensing, legitimate software use can easily be shared amongst a large group of users without clients having to pay for more licenses than they need, or compromising security via password sharing.
By implementing a cost-effective, identity-based access management solution and combining it with powerful tools like multi-factor authentication and single sign-on, you can ensure that access to shared software accounts is only granted to the people that need it.
10Duke identity and access management solutions come with a range of advanced additional features to help you secure your company’s most valuable assets, covering everything from enforced password hygiene to secure storage for your data.
Password sharing may seem harmless, but it actually puts your business, employees and customers at risk. Find out why what you can do to prevent it.